MS Critical Patch Fixes 8 Vulnerabilities
nandemoari writes "A hole allowing hackers to take control of Microsoft Exchange was just one 'critical' issue the Redmond-based company promises it has fixed with a patch correcting a total of eight vulnerabilities in its programs, including the Internet Explorer browser, Office, and its SQL Server.
Three of the eight vulnerabilities patched yesterday were marked 'critical.' The most concerning is an issue with Exchange that would allow attackers to take over an Exchange server by simply forwarding a carefully crafted message to a corporate mail server. Microsoft has admitted that the vulnerability can be exploited when a user opens or previews an email in the Transport Neutral Encapsulation Format (TNEF)."
Many people would love to outsource management of Exchange server, and it's even better if someone wants to do it for free.
It seems the updates delete some critical files, from the reports I have seen.
I don't know anything about Exchange but you mean to tell me that someone sending an email to an Exchange server can allow it to take over the server? It's one thing for hackers to rely on social networking and fool a user into executing an attachment. It's another thing to be able to take over simply by sending a message.
Well, there's spam egg sausage and spam, that's not got much spam in it.
It's all closed source, so there aren't any real vulnerabilities. Even the certified professionals say so. They're certified, what more do you need!
As if you could spread havoc through email on a proprietary system. Bah.
May contain traces of nut.
Made from the freshest electrons.
The IE fix ONLY affects IE 7. If you're running IE 6 (or even 5) on any platform, you don't have a patch to install.
Could it be, *gasp*, that IE 6 is more secure than IE 7? The mind wobbles.*
*For you yungins, go look up Kelly Bundy and the above phrase.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
OH Heavens! A local vulnerability which could lead to privilege escalation!
The Exchange bugs in question were remote holes, Mr. Troll.
Why in the world would an e-mail delivery system ever consider executing external code? Exchange should simply look at the delivery address. If it is a local address, place the message in the user's mailbox. If an external address, forward to the next hop. What's so difficult with that task?
CommuniGate Pro has never had this problem. IronPort appliances don't have this problem. Exchange should stick to its sole job as a delivery agent and stop trying to be so smart.
Can't we live without OLE?
signature pending slashdot approval
Now I know why Microsoft calls it "Exchange"!
There is a difference between the hole you posted and the one that is being discussed though, a very big difference.
The security hole in the Kernel that Ubuntu fixed required local access to the machine in question; the Exchange bug could be exploited by sending the server an email, so no access whatsoever was required.
Privilege escalation vulnerabilities are generally considered to be of a lower priority to fix and not as severe, as you must have a modicum of trust in order to give someone a shell account. No trust is required to send someone an email.
I don't read
I don't use Outlook but it's on my box, do I have to patch it?
Of course not, they get them on a daily basis, per app.
It wouldn't surprise me if the sum development time on the core system and apps of any given Linux install was greater than that of any given MS install, for any given duration.
Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
The Exchange fix is part of Exchange rollup 6, which showed up in WSUS yesterday:
http://support.microsoft.com/kb/942846
Specifics about the vulnerability:
http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx
Hang on I'll send an email
You realise that the topic is about Exchange.
None of the products mentioned provide the functionality Exchange has.
One minor quibble, though: there is still no full fledged open source replacement for the entire Exchange+Outlook functionality suite.
Crackberries and other PDAs sync with Exchange and Outlook. BES requires Exchange. You can make public and personal calendars shared across the company.
There just aren't open source equivalents yet for all the bells and whistles these sales guys and CxOs have come to rely on and until you do, Exchange will not get replaced.
Microsoft has gotten a large amount of heat for its operating system. In large part due to the number of well crafted viruses that exploit weaknesses in the programming. Apple was long touted to be virus free. That was only due to the obscurity of the system and people's willingness to write viruses for it. I don't think we should bash the quality of Microsoft's code because anyone's code can be full of holes when people work at breaking it. I think Microsoft's issue is updating. Update when the exploit is found, not the second Tuesday of the month after the exploit has been abused for a while.
My time is valuable. I don't have all night to sit up recompiling to get the thing to work. Oh, and don't forget the legions of friendly, helpful Linux users who will be glad to listen to my problems and recommend a solution.
BES supports all three major groupware suites:
http://na.blackberry.com/eng/services/server/
My time is valuable.
So is everybody else's.
I don't have all night to sit up recompiling to get the thing to work.
FUD alert FUD alert FUD alert.
Oh, and don't forget the legions of friendly, helpful Linux users who will be glad to listen to my problems and recommend a solution.
There are legions of helpful companies who will charge you money to support you and it will still cost less than Window$
No, it was called Linux very early on, somewhere around 0.9, by one person, in 1991 (not the 80s); and the number of developers involved is still quite short of "millions of guys".
Gamingmuseum.com: Give your 3D accelerator a rest.
You realise that the topic is about Exchange.
None of the products mentioned provide the functionality Exchange has.
The topic is about patches to Windows and its services, and this indirectly about the piss poor reliability and quality of Windows.
OO.org is pretty cool. Some parts of it are definitely NOT as good, definitely not better, than MS Office. MS Office is actually, in my opinion, a pretty good product. Impress vs. PPT, PPT wins hands down. Writer vs. Word ... well, writer is actually pretty good, though Word 2007 has some default nice-looking document stuff going for it. Me personally? I use OO.org. But I can definitely see how it isn't for everyone.
Slick, beautiful, and easy to use. Let's see, I just installed openSuSE 11.1 on a Dell E1505. It works pretty well (had 10.3 before that, by the way). First problem: knetworkmanager and WEP: fail. It wouldn't put in the right key; had to use iwconfig to manually configure it. Has never worked for me. Windows could do WEP fine. (note: I use WEP just to keep my neighbors off. I know it's easily cracked, I've cracked WEP myself). Second problem: ATI Mobility x1400 drivers. Downloaded ATI installer; fail. Tried various things. Finally installed RPM, that worked. I think what happened was the kernel source wasn't installed, thus the ATI installer didn't compile the driver, etc. But all I got was a black screen. Oh, you want users to dig through logs in random directories? Easy to use... Windows drivers worked fine.
Third problem: can't turn off the annoying PC speaker. I could with Windows. Fourth problem: Suspend to Disk doesn't work with Compiz/XGL, it comes back up with a black screen and a mouse cursor. Have to kill X and start it again. It worked fine with Xorg but not with XGL. Unfortunate, too, since I kinda like suspending and have to do it to disk because the battery is completely dead. Windows worked fine.
It's working now, and I like it. I've always liked Linux. Interestingly, though, my wife said this (she is not a tech person): "I don't think I like Linux... it doesn't do what you expect it to." She can use it, when it's working. When it stops working, she has no clue what to do. When X doesn't boot up for whatever reason, she doesn't know the "startx" command. If that doesn't work, she doesn't know about the kernel bootoption "x11failsafe." Easy to use!
I haven't tried Ubuntu specifically on my laptop, so I can't comment on its compatibility.
All this to say: switching completely from Windows to Linux is NOT for the person who doesn't have time to fiddle with stuff (i.e., spends maybe an hour a day on their computer) and doesn't have someone that can do it for them/fix it for them. Me? I can use Linux, and my wife can, because I can fix it. My parents? Same thing. I can set it up and fix it. Other people may not be able to.
(*waits for mod -5 Doesn't support Linux in all situations. :) )
Last final note: I work with Linux all day at work, and I've used quite a few versions (including Puppy Linux, tinyMe, Mandrake, SuSE, RedHat, Ubuntu, Fedora, Knoppix, Slackware, and a few others that I tried out on some old hardware to see which ran best). I really like it. I have also used Windows 3.1, 95, 98, 2000, XP, XP x64, 2003, 2003 x64, 2008, 2008 x64, Vista, Vista x64, and 7 x64.
Lastly, Wine does not work for all applications, virtualization is not "easy" to use, and I have a few other gripes about the easy to use camp but this is long enough :) hehe.
I sound bitter. Oh well, I'm not. I'm happily using Linux+KDE4.2+XGL+Amarok as my cool little media center!
when i can play every game i've purchased in the last 15 years out of the box NATIVELY without having to run it in wine, cedega, crossover or whatever the fuck the new "emulator" is these days, then i'll consider switching to linux.
When you can do that in Vista or Windows 7, let us know. Most programs written in 1994 won't even run correctly on Vista or XP. A lot of programs written prior to 2002 for DOS Windows (95,98,98SE,ME) have difficulty on the NT kernel line.
Hehe, after posting a negative response to your original post ... I have to say that not only are there helpful companies who will charge less than supporting Windows, but there ARE quite a few helpful Linux users. It seems to vary by distro.
No, it was called Linux very early on, somewhere around 0.9, by one person, in 1991 (not the 80s); and the number of developers involved is still quite short of "millions of guys".
What is now Linux started, possibly as early as the late 60s, but definitely by 1984 in the form of GNU. The Linux kernel didn't come on the scene until 1991.
OO.org is pretty cool. Some parts of it are definitely NOT as good, definitely not better, than MS Office.
This is a subjective evaluation and very open to debate. Since the two products are not from an "identical" specification, it is impossible to evaluate how one is better than another based on a side by side comparison. We have to weight the features of one against another, factor in quality, and weight the feature sets. MS Office does have more features, but by and large, not features the 99% of the users will ever care about.
For me, the built in "Export to PDF" is a huge feature.
I am not surprised by the announcement of these major flaws, many directly related to MS proprietary components/protocols. Microsoft has a history of manipulating open standards into MS proprietary protocols in order to prevent development outside Windows. However, as a result, Windows OS's become less compatible with other OS's and do not reap the benefit of improvements to open source alternatives made in the open source and standard organization communities. Several examples of flawed Windows proprietary technologies: WMI (no longer supported in newest Windows Servers), Direct X (unstable and high overhead compared with OpenGL), UAC (worst Vista feature) and Windows Automatic Updates (incremental updates with multiple reboots to update, memory leaks and high resource consumption under idle conditions).
Posting this sort of bullshit on Slashdot just comes off as being unbearably smug and condescending. Go take it to a windows forum or Expert Sexchange or wherever. Everyone here knows about Linux.
On top of that, like a lot of smug amateurs, you don't have any knowledge whereof you speak. Lack of Exchange is a deal breaker for a huge chunk of the business world.
Until there is a real Exchange/Outlook replacement that is available open source, people are never going to drop it, because, for them, the functionality outweighs the cost. Whining about viruses and crap is meaningless to them because they've been conditioned to expect viruses, and because the maintenance costs (and the blame for failures) are borne by the IT staff. Not management. Not users. Not microsoft.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I'd prefer to have a non-optimal tool to fulfill a job than no tool at all.
But for those that see open source as a religion instead of a means to an end, they'll prefer to have no tool and just the moral high horse.
You can debate it all you like, but the simple fact that the free product has practically no marketshare compared to the product that costs 500 bucks a license is pretty fucking telling.
Firefox proves decisively that the superior product will make strong gains even against an entrenched monopoly. That OO.org is still languishing in obscurity has more to do with its flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.
You know what the difference between Wine and the layer in Windows that lets you use 9x applications is?
Most people who use Wine know it exists and what it does.
Aside from that, you can throw out any game made before 2000 or 2002 as it is not run natively on Windows 2000/XP/Vista/7 either.
The verbiage there is mind numbingly stupid. I quote, "Ubuntu became the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel". In other words, a kernel fix was made available and it was applied. They make it sound like it has far-reaching consequences and by having multiple distros, the problem is somehow made far, far worse.
Huge difference between local and remote exploits. The fact you seem to not understand the difference squarely places you into your own worst scenario, "False sense of security is the worse security."
Since I'm the only user on my box I don't think I have to worry about me exploiting myself and doing unknown harm.
Export to PDF *is* a pretty good feature. Huge? Not so much. It's easy enough to print to PDF, do a postscript printer to file output and convert it to PDF, etc.
99% of the users will never care about most MS Office features? What was that about subjective evaluation? :)
What really has to be weighted is user usability/user usage efficiency, right? What is important in an "office productivity suite" is how productive a user can be with it. My own experience (no, I haven't done a double blind study of "never used productivity suite before" people or something, hehe) is that Office 2007 (and Office 2003 before that... I think it was 2003...) was easier to use and easier to create nice-looking documents right off the bat. It was also much more expensive. I found OO.org good for word documents and spreadsheets. I found Powerpoint far superior with presentations (and, ironically, faster and less jerky with far fewer quirks ... I am not at all impressed [pun not intended] with Impress).
....What "carefully crafted message" would I need to send to take over an Exchange Server?
To: ExchangeServer@company.com
Subject: H3ll0
I 0wn you Now. Please reply back with passwords.
Regards,
Hax0r
Do not read this
Well, this little Slashbot has certainly been studying his talking points. I'm sorry to inform you, but this flaw is not in the underlying protocol; it is in the implementation.
As for your other allegations...
WMI is not only supported in Windows Server 2008, but additional providers have been added. This is the most ridiculous of your claims as it has absolutely no basis in reality whatsoever.
I don't know enough about DirectX to comment on your assertion, but I suspect you are probably equally delusional.
UAC is just a band-aid; it is better than nothing, but it doesn't fix the underlying problems.
I do agree that rebooting for Automatic Updates is a pain. However, I've never even heard of anyone complaining about memory or resource usage or leaks while using it.
Out of the 5 pre-2000 games I have cared to load up on my Vista x64 box, 4 have run natively w/ very minimal tweaking.
That's nothing! If you boot Windows forwards, it loads Windows!
You know what the difference between Wine and the layer in Windows that lets you use 9x applications is?
The Windows layer actually WORKS? Wine doesn't work well. It has never worked well. There are millions of people who will tell you that it works well. They are liars.
So having addressed the FUD, look at your main point. "Windows OS's become less compatible with other OS's and do not reap the benefit..." Windows has never tried to be compatible with other OS. When it comes to Windows compatibility I would go so far as to say they've done a damn good job (possibly *too* good) considering the mess with which they're keeping backward compatibility and the crud that keeps getting carried forward.
Microsoft may have many faults, but you seem to have missed the mark.
... and Exchange 2003 stopped delivering messages to mailboxes.
Rolled it back, and everything worked fine ^H^H^H^H just as it used to.
I may be missing the point of these "fixes", but surely "security updates" should actually be tested at some stage?
Gah, I edited out part of my post... I originally had "(or those...other two)" in there.
What I was aiming for was that it'd take more than sendmail to get blackberry users happy.
But for those that see open source as a religion instead of a means to an end, they'll prefer to have no tool and just the moral high horse
It is easy to paint someone's position as "extreme" in order to make yours more reasonable. It is an isotope of ad-hominem.
The opposite is true, of course. We open source/free software people are very practical by nature. We see and understand that "better" software isn't just an arbitrary and subjective feature set comparison. It is quality. Flexibility. Durability.
Having used Microsoft Office, WordPerfect, WordStar, Quattro, 123, Hollywood, Applix, OpenOffice.org, and so many others, I can honestly say that OpenOffice.org is a better overall system for anyone who cares about their content.
Actually, they aren't running natively. They are running in an API translation layer similar (but more compatible) to Wine. That layer just happens to come pre-installed in your OS.
I'll grant you it's more refined and works better, but it is still there.
as I said above:
Most people who use Wine know it exists and what it does.
You're wrong about WMI - no longer supported in Exchange - EWS used instead. While it still exists, it is continuing to be replaced by other Microsoft protocols for Microsoft Server products, like Exchange and MS SQL.
Direct X - requires more hardware than OpenGL to run and many third-party developers will report problems programming under this API - XBOX issues have occurred as a result of Direct X instabilities. Also, you clearly know little about OpenGL if you think it is less stable and performs poorer than Direct X.
UAC - seriously, what use is this - can I really be more secure using an annoying pop-up notifier? I think not.
Automatic Updates - seriously, show me another update manager that is worse. Examples that are much better: linux yum and OS X Software Updates.
Furthermore, what is the point of an OS that isn't compatible with anyone else???? Windows is rarely compatible with their own legacy software, let alone others...
Win98 doesn't need any of these silly patches, so is it also more secure?
If you run a Groupware server, you're not running it for yourself. You're running it for the users.
It doesn't matter if you think that Evolution or whatever beats Outlook/Exchange, it matters if everyone else in your company does the same. If they do, good for you.
Please go back to reddit and/or digg.
And after using it, they quickly learn what it doesn't do...
...which is run most windows applications
"His name was James Damore."
Most applications have issues, but mainline apps tend to work rather well. Lame as it seems to say so, the compatibility has skyrocketed in the last 6 months. 6 months ago, I'd have agreed with you. There weren't many applications that worked well. Now, between what does work well, and what is freely available, Linux and FreeBSD offer access to pretty much whatever you need from Windows.
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
Hands in my pocket
Have you evaluated Zimbra?
At my company (I'm CTO) we have a mix of Windows, Mac, and Linux clients. (Sales/Support use Windows/Mac, tech dept is nearly all Linux) Throw in a few palm and Windows mobile phones, and you have a support nightmare. Supposedly, Zimbra supports all of these without issue.
I'm in the beginning stages of implementation (just allocated a dual-CPU server to trial it on today on CentOS) but I'm wondering if anybody out there has anything to say about this?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
That OO.org is still languishing in obscurity has more to do with its flaws than some gigantic conspiracy of users who just can't think of anything better to do with their money.
What rock have YOU been under?
Gross market share moves slowly. Great change takes years or decades, and if you see change where the majority product becomes a minority in 10 years, that's very rapid change. There's every sign that this is, in fact, happening. It's by no means comprehensive, but it's pretty clear that OO.o is making some pretty serious headway. Whole nations are standardizing on Open Office!
And on a related note, OO's document format, ODF, is now a recognized international standard, is a mandatory standard for NATO, and is also being adopted by governments around the world.
It may not be all that visible where YOU sit, but the impact is both real and international in scope.
I guess it's changed a lot then. The last time I tried to use Wine I was able to bring up the Internet Options control panel and... that's about it. After hours of poring through how-tos and mailing lists I gave up. That was about a year ago.
IE is tricky, but most MS apps that are tied to the core of the OS and undocumented APIs are.
Surprisingly, MS Word and Excel work pretty well. There are a few games, but to my knowledge, nothing particularly new.
Since I'm the only user on my box I don't think I have to worry about me exploiting myself and doing unknown harm
How do you know you don't have DID? ;)
Free Martian Whores!
I first used OO.org in 2002, which is before Firefox even existed as anything other than Mozilla bloatware. Since then OOO has managed to pull what, single digit marketshare? And since then Firefox has topped 20%!
Open Office has HAD a fricking decade. To have to have a government mandate to drive adoption for a FREE product? You think that's a good thing?
Every new release of OO I load it up, play with it, then never use it again. It's not that I love MS Office, it's that there are other OSS products that do a better job.
Sorry forgot the quotes on native... Everything runs through APIs.
If you want to get overly semantically anal, 4 of the 5 pre-2000 games I've loaded in Vista run w/o resorting to compatibility mode, not to mention a good deal better than in Wine under Ubuntu.
That's at least as informative as most of the other comments here...
In all fairness regarding Exchange, things break on every release. My comments regarding backward compatibility were specifically regarding Windows the OS, not the Microsoft server applications. While there are some good ones (SQL) there are some terrible ones (Exchange, SMS) too.
Regarding performance, both APIs are functional. DirectX is more an interface to hardware where OpenGL is a generic interface that may or may not be hardware accelerated. Performance is driven largely from the drivers. In my experience games that support both DirectX and OpenGL perform better in DirectX. Does that mean it's better? No, maybe Nvidia does a better job with DirectX than OpenGL. Regardless, you can't say one is always clearly better than the other.
Your UAC rant is still misplaced. I don't know anyone who likes the implementation. But what does it have to do with performance, stability or backwards compatibility with other software? It was a bad implementation of a good idea. Well, assuming you don't want to fix security (and break compatibility) with the Win32 API it's about the best you can do. An example of how MS tried to band-aid a poor design problem maybe. An example of broken backward compatibility it is not.
Okay, I'll bite on automatic updates. It's not the best. Nor did I claim it was. apt-get is better and my personal favorite. Solaris is on-par with Windows in that it will detect a "major" update and won't detect patches for that major update until the next time the update is run (possibly after a reboot). I've seen the same thing with OS X (such as after an iTunes upgrade). Why does Safari or iTunes reboot the computer? I have no idea. Why can't all update software look ahead and see if there are patches to what it has planned to install/upgrade? I don't know. What I do know is that Windows Update is not alone. Patching NetWare servers has to be many times worse than Windows.
I'm not sure how you miss the point of Windows (the OS) not being compatible with anyone else. They want it that way. POSIX wasn't implemented for a reason. You can't switch out Windows and replace it with something else without a huge investment (time and/or money). I am crystal clear on the issue of why it's not compatible with other operating systems. I don't suspect that it will ever change. Why would they want to compete against UNIX on equal ground when they have their own API that UNIX can't implement (or when doing so breaks apps because the API doesn't function as is publicly documented)? The only reason to be compatible with another OS is if you want to move applications between them. Microsoft doesn't want to. So what is the point of an OS that isn't compatible with anyone else? Money. And lots of it. And if you have to deal with the public sector where .DOCs are the "standard" or have to access corporate web applications that only run in IE you see the point very clearly.
As far as rarely compatible with their own legacy software? Well Vista broke some things in an attempt to lock things down better. A lot of the problems are due to bad coding -- code which if run in *NIX would also not work due to some dubious assumptions on the part of the developer. The difference is in that *NIX software developers know (and often prefer) that their software will not run as root. Much of the MS software out there requires that it be run as an administrator. When you start locking things down (non-root users in Linux, roles in Solaris, SELinux, CSA and Vista/UAC) bad software breaks.
I'm not a fan of Windows for many reasons. One of those reasons is backwards compatibility. It's really, really hard to "fix" security problems with a bad API when you carry forward that bad API into every future release. Sure, some of the really bad API is removed (and applications break) but most of it has carried forward. At the expense of security, it has definitely allowed for backward compatibility.
I have an incredible philosophical problem with any software designed to cause code to run as a result of you receiving an email, and which then takes that email as its input data, particularly if it starts processing it before it verifies the referential integrity of the MIME container(s) in the message.
The primary reason Outlook has been such a cesspit of exploits is "Exchange integration". Loosely translated, this means that it ignores encapsulation enforcement by starting to interpret the contents of an email prior to verifying that the container object for the email itself is intact and contains what the headers say it contains. That it also runs code in arbitrary and unverified DLLs registered to handle decoding a particular MIME type when you receive an email, and AGAIN without verifying the referential integrity of the container is almost criminal.
You take those pieces away, and the "neatly integrated" quickly becomes not nearly so "neatly".
I have to agree with one of the other posters, that the best example of this done correctly is the server-side AJAX integration that's used in Zimbra. For non-Zimbra solutions, recognizing dates as things you can put on a schedule or addresses or signatures as things you can attach to an address book entry is about a 90% solution, and doesn't require the risk of premature decoding to make it work. Apple's Mail.app does this rather well, although it also is starting down the "active email message" path-to-hell blazed by Outlook, at least it's not turned on in the preferences by default, and container integrity is checked up front.
-- Terry
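The check the comment above asks for, validating the MIME container before any type-specific decoder touches the content, sketched as an added example (not part of the original thread, and not how Exchange or Outlook are implemented). It relies on the defects recorded by Python's standard `email` parser and on the TNEF stream signature 0x223E9F78; the function names and the sample messages are constructed for illustration.

```python
import base64
import binascii
from email import message_from_bytes, policy

# A TNEF stream starts with the 32-bit signature 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")


def container_problems(raw: bytes) -> list:
    """Return structural problems found before any content handler is invoked."""
    msg = message_from_bytes(raw, policy=policy.default)
    problems = []
    for part in msg.walk():
        ctype = part.get_content_type()
        # The parser records broken structure (e.g. a missing boundary) as defects.
        for defect in part.defects:
            problems.append(f"{ctype}: {type(defect).__name__}")
        if part.is_multipart():
            continue
        body = part.get_payload()  # still transfer-encoded text at this point
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).strip().lower()
        if cte == "base64":
            try:
                # Strict decoding: characters outside the alphabet are an error,
                # not silently dropped.
                data = base64.b64decode("".join(body.split()), validate=True)
            except (binascii.Error, ValueError):
                problems.append(f"{ctype}: invalid base64 body")
                continue
        else:
            data = body.encode("utf-8", "surrogateescape")
        # The headers must describe what the part actually contains.
        if ctype == "application/ms-tnef" and not data.startswith(TNEF_SIGNATURE):
            problems.append(f"{ctype}: body does not start with the TNEF signature")
    return problems


def safe_to_decode(raw: bytes) -> bool:
    """Gate: hand parts to type-specific decoders only if the container is clean."""
    return not container_problems(raw)


def build_sample(b64_body: str, close: bool = True) -> bytes:
    """Constructed two-part message; `close` controls the final boundary line."""
    lines = [
        "From: sender@example.test",
        "To: rcpt@example.test",
        "Subject: constructed sample",
        "MIME-Version: 1.0",
        'Content-Type: multipart/mixed; boundary="BOUND"',
        "",
        "--BOUND",
        "Content-Type: text/plain; charset=us-ascii",
        "",
        "body text",
        "--BOUND",
        'Content-Type: application/ms-tnef; name="winmail.dat"',
        "Content-Transfer-Encoding: base64",
        "",
        b64_body,
    ]
    if close:
        lines.append("--BOUND--")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


# Constructed inputs: one well-formed message and three broken containers.
_TNEF_B64 = base64.b64encode(TNEF_SIGNATURE + b"\x00" * 8).decode("ascii")
GOOD = build_sample(_TNEF_B64)
TRUNCATED = build_sample(_TNEF_B64, close=False)
MISLABELLED = build_sample(base64.b64encode(b"MZ\x90\x00 not tnef").decode("ascii"))
BAD_B64 = build_sample("eJ8+!!Ig")

if __name__ == "__main__":
    for name, raw in [("good", GOOD), ("truncated", TRUNCATED),
                      ("mislabelled", MISLABELLED), ("bad base64", BAD_B64)]:
        print(name, safe_to_decode(raw), container_problems(raw))
```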
I agree that OS X Updates often do require one reboot, after the software update process is complete. This is still much better than Windows: Incremental Update, reboot, incremental update, reboot, etc.... As far as UAC goes, this is more of an example of a new, MS proprietary idea badly implemented that was used instead of embracing alternative security models that have existed for decades under UNIX. I'm not saying that other OS's don't have proprietary components, but if I write a program in Visual Studio with C++ and use Direct X or MFC, how do I port such a program to linux? I really can't. In the end, I would have to re-write most of the program. Compare this to proprietary UNIX-based OS's where ports are much easier to accomplish between systems. The purpose of technical standards is to integrate technology across vendors, which does not really exist under the Microsoft philosophy to control their majority market share. So Microsoft's claims of compatibility are only true if you are using another Microsoft system.
You can try being an apologist for OO.org all you want. Unfortunately, there are still some large glaring holes in their product (even as of v3).
The latest one that I've run into is the Base component. Which doesn't offer any simple way to import/export data from CSV, XLS, tab-delimited or other external data files. For some of those data file types, you have to go through the spreadsheet component of OO.org, which is extremely convoluted. The equivalent in MS-Access is pretty much "File, Import" or "File, Export" (depending on the version of MS-Access).
Or say that I want to link to some MDB file. I have to create a registered data connection in order to do so. So for each MDB that I work with, I'm going to have to create at least one registered connection. Which is going to be damn ugly about the time that I start working with my 500th MDB file. On the MS-Access side, they've chosen to simply make that file-specific and if you need a global, permanent, registered type connection, you create a user/system DSN.
Now, that's not to say that OO.Base isn't getting better. But there are still some really really sucky UI choices that simply make getting work done harder than it has to be.
Wolde you bothe eate your cake, and have your cake?
I don't know how you can write that and be serious. OpenOffice is not a very well developed product, is not very flexible, and durability is in question because a lot of people end up throwing it out.
I'll give you a classic example which actually happened to me recently when I had way too many windows open on my Ubuntu setup. I opened my document with OpenOffice, made some changes, hit save. Then went about doing other tasks. At that point I had probably 30 windows open so I couldn't see that I had left the document open so I just opened it again and started documenting more about our network. It was really more of a spreadsheet if I recall. Long story short, I hit save on the new document, at some point ended up editing the original that was still open and lost all the work in the second window.
MS Office would have opened it in read-only mode telling you the file was already in use which would have given the user a clue of what happened. Autosave is also a feature that is not on by default for some reason. Then of course there is the whole close button matter how it won't warn you about the document not being saved. It will just go ahead and close anyway leaving you none the wiser.
It has basic functionality that one would expect from an office suite but OpenOffice has a long way to go before it's going to be a true replacement for a great many people. I haven't seen that many content management systems integration nor have I seen change tracking which are all features users expect from MS Office and use rather regularly.
Of course in my environment I go one further with spreadsheets that are dynamically driven by our database which is still functionality lacking in OpenOffice. Combine all that with the fact that it loads slow as all get out and I clearly have a low opinion of OO.org
That said, now that I've learned a few gotchas I can work just fine in OO but the user seems to have to learn everything the hard way and that doesn't strike me as either a quality or flexible application.
Other than that I agree with your general principle that better is very subjective as one person may care so much about the cost of MS Office that OO.org being free and able to do the basic stuff suits them just fine, in that case then the product is indeed better for them than MS Office would have been.
Now compare with Firefox. Although Microsoft has tried to make the internet an IE only thing, they have failed due to the security implications of their chosen vehicle, Active X. Now Active X is dead, and the internet is open for any browser to compete. If I choose to use Firefox to browse the web, there's no customer whose business I might lose. Although there was an attempt from Microsoft to extinguish the web, the offer was less compelling than for office, so they lost.
So, yes, there is a gigantic conspiracy of users who just can't think of anything better to do with their money. It's called a Network Effect. OO has a hard uphill battle against this. You could easily put billions into creating the best office suite that has ever materialized, and still you would fail against MS office, as no individual can move out of using it without losing something.
I had the same with Exchange 2007. Calendaring stopped working so I reinstalled rollup 5 and everything went back to normal.
As for your comment, one day when you move into the "real world" you will realize that you don't always have the resources to test every single patch that comes down the line. I'd much rather have a Microsoft patch fubar the machine than have a haxxor pwning it because I was busy testing a patch. At least when I have to explain to management why the email was down for 30 minutes, I can blame Microsoft instead of saying that we got exploited (which would then become MY fault).
Not everyone can afford to have redundant everything. Especially machines that are only used for testing, and therefore not in a production environment, where it is easier to find bugs. Sure, if your Exchange server services 2000+ users, or generates tens of thousands of dollars a day then maybe you can afford another machine to test on. Most people in the Real World do not have those luxuries.
As a potential lottery winner, I totally support tax cuts for the wealthy
I don't know how you can write that and be serious. OpenOffice is not a very well developed product, is not very flexible, and durability is in question because a lot of people end up throwing it out.
Without any actual facts to back that up, I don't believe you because my experience is entirely different.
Another feature I really like about OOo is the ODF format. It is documented and I will always be able to use my documents.
A local exploit is a potential problem even if you're the only user. If an attacker combines a remote non-root exploit (say an Apache bug that gets him access as the 'nobody' user) with a local exploit (that upgrades 'nobody' to 'root'), he now has a remote root exploit.
Local in this case just means a logged-in, unprivileged user that can run arbitrary code.
Read up on blended threats.
We need a section on Milw0rm called, "Will it Blend?"
Like sendmail has never had critical vulnerabilities in its address parsing code?
The last time there was a sendmail release for a major security reason was 8.13.6, back in March 2006:
http://www.sendmail.com/sm/security/
http://www.sendmail.org/releases/8.13.6
There was a DoS issue that was fixed in May 2006 (8.13.7).
It's by no means comprehensive, but it's pretty clear that OO.o is making some pretty serious headway. Whole nations are standardizing on Open Office!
So, 2009 will finally be the year of OO.org on the desktop? *yawn*
And on a related note, OO's document format, ODF, is now a recognized international standard, is a mandatory standard for NATO, and is also being adopted by governments around the world.
That's really good, but I doubt it'll help OO.org much, once MSOffice 2007 SP2 is released with ODF support.
TNEF was M$s way of punishing non-windows sites. Any message using M$ Outlook composed in rich text format is automatically sent in this proprietary format. There are free TNEF decoders (reverse engineered), but none is perfect. Most spam virus filtering gateways use these free TNEF decoders, so the bad guys can get their payloads into organizations by encapsulating it in TNEF that the free decoders can't decode, but the vulnerable soon-to-be-zombie PCs can. It also seems that a service pack for Office 2k3 has added additional cases where Outlook encodes messages with TNEF.
It is petty, but... payback time-- no sympathy from me.
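The gateway gap described in the comment above, seen from the filtering side: an added example (not part of the thread or any product's code) of a fail-closed policy that quarantines any TNEF part the gateway cannot walk end to end. The function names are hypothetical, and the attribute layout used (1-byte level, 4-byte id, 4-byte length, data, 16-bit additive checksum) is a simplified assumption about the TNEF stream.

```python
import email.policy
import struct
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # first four bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def walk_tnef(blob):
    """Strictly walk a TNEF stream; return attribute count or raise ValueError."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        raise ValueError("bad TNEF signature")
    pos, count = 6, 0  # skip signature and the 2-byte key
    while pos < len(blob):
        if len(blob) - pos < 9:
            raise ValueError("truncated attribute header")
        level, _attr_id, length = struct.unpack_from("<BII", blob, pos)
        end = pos + 9 + length
        data, tail = blob[pos + 9:end], blob[end:end + 2]
        if level not in (1, 2) or len(data) != length or len(tail) != 2:
            raise ValueError("malformed attribute")
        if struct.unpack("<H", tail)[0] != sum(data) & 0xFFFF:
            raise ValueError("checksum mismatch")
        pos, count = end + 2, count + 1
    return count

def is_tnef(part):  # declared type, conventional filename, or magic bytes
    payload = part.get_payload(decode=True) or b""
    return (part.get_content_type() in TNEF_TYPES
            or (part.get_filename() or "").lower() == "winmail.dat"
            or payload[:4] == struct.pack("<I", TNEF_SIGNATURE))

def gateway_verdict(raw_message):
    """Return 'quarantine' if any TNEF part cannot be fully walked, else 'deliver'."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    for part in msg.walk():
        if part.is_multipart() or not is_tnef(part):
            continue
        try:
            walk_tnef(part.get_payload(decode=True) or b"")
        except ValueError:
            return "quarantine"  # fail closed: never pass on what we cannot read
    return "deliver"

def build_sample(blob, subtype="ms-tnef", filename="winmail.dat"):
    """Constructed sample message carrying blob as an attachment."""
    msg = EmailMessage()
    msg.set_content("body")
    msg.add_attachment(blob, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()
```

A clean walk only means the container is readable; a real gateway would still scan the attachments extracted from it.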
It is Microsoft Exchange Software Feature.
I'd like to buy homeland for our 10 million people. http://twitter.com/mahadiga
Every new release of OO I load it up, play with it, then never use it again. It's not that I love MS Office, it's that there are other OSS products that do a better job.
Other OSS products, such as... ?
Didn't think so.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Abiword is better than writer; Gnumeric is better than calc. Both of them are light and responsive, and if they lack features, it's only in comparison to Office, not Open Office.
End of story. Thanks for shopping.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I can't believe this was modded insightful. In other words this local exploit is an issue because of imaginary remote exploits? WTF? That's like being worried about local exploits when I don't have physical security. If I don't have physical security, nothing else matters. If I don't have remote security, nothing else matters.
Simple fact is, first order concerns always are and always will be physical security and remote exploits; assuming a system with network connectivity. Period. Everything else is secondary.
This is not true. There are plenty of things in place on your Linux box that minimize the impact of a network intrusion.
First of all, you run network services as nonprivileged users. If I find a vulnerability in your ntpd, and exploit it, I can't for example delete files or shut down the server, or set up a keylogger, because the ntpd user doesn't have the rights to do any of that.
You might even run certain services in chroot jails, where they have no access to most of the filesystem.
However, a local root exploit makes this all much more serious. You would be able to turn the unprivileged ntpd login into a root login.
If you don't run any network services at all (or you firewall them from the world), fine, local exploits aren't going to be an issue for you.
Hands in my pocket